Reverse engineering shopping cart security

All this talk about 555 timers is causing projects to pop out of the woodwork like this one that reverse engineers a shopping cart security mechanism. The wheel seen above listens for a particular magnetic signal and when encountered it locks down the yellow cowl, preventing the wheel from touching the ground and making the cart very hard to move.

[Nolan Blender] acquired one of these wheels for testing purposes and he’s posted some details about the hardware inside. But the first thing he did was to put together some test equipment to help find out details about the signal that trips the mechanism. He connected a coil to an audio amplifier and walked around the market looking for strong signals. Once he found a few strong bursts with that equipment he grabbed an oscilloscope, hooked it to the coil, and made some measurements. He found an 8 kHz signal at a 50% duty cycle at 30 ms intervals (it would be hard to make a better case for why you need an oscilloscope).

With the specs in hand, [Nolan] grabbed two 555 timers, an audio amplifier, and a 200 turn antenna around a ferrite core to build his own locking mechanism. If you’re ever stopped short in the middle of the market, just look for the hacker at the end of the aisle holding the homemade electronics.

[Photo source]

[Thanks Colin]

29 thoughts on “Reverse engineering shopping cart security

  1. I seem to remember a similar story a few years back. The hacker in question actually built his antenna into his clothing, and walked around Target, pressing a button occasionally when standing near another customer. I don’t remember whether he ever got caught.

    What I’d like to see next is the reverse–a way to unstick a stuck shopping cart.

  2. @Mohonri: Read the linked article, it goes over both locking and unlocking. If it still applies is another story (this paper is from 2000).

  3. Why would the unlocking be more complex than locking? The average shopping cart thief doesn’t even know what an 8kHz signal is, much less have the ability to generate one.

  4. very cool. I wonder how universal that signal is. I know at my local grocery store the lock mechanism is different (It locks internally, so the wheel technically never loses contact with the ground). I would love to be able to lock them for fun :P

  5. Shopping cart locking has been done to death now. In the UK nearly all the shopping cart locking systems are simply magnetic strips sunk into the ground. No fancy locking/unlocking codes here but it does mean that all you need is a magnet to set them off. It’s harder to trigger from a distance though.

  6. “He found an 8 kHz signal at a 50% duty cycle at 30 ms intervals (it would be hard to make a better case for why you need an oscilloscope).” — Mike Szczys

    derp, you don’t need a scope for that.
    you can measure that with a decent multimeter.

  7. Or you can record it with an audiorecorder and just run it through any audio analyzing software, 8KHz is easy to capture.
    I think some of the first people that hacked it did it that way.

  8. @ruthlesspirate
    thats what i was thinking. perhaps he stole too many?

    @strider
    Bubbles is a charactor from a Canadian television show called Trailer Park Boys.

    “kitties arent supposed to smell like cigerettes”

  9. FTA: “The system can be defeated, however it is unlikely that the kind of person that steals shopping carts would be inclined to develop an unlocking transmitter”

    … with the exception of the author, I assume ;-)

    Once while living in an urban center, there were so many abandoned ‘stolen’ carts left in front of my residence that I decorated them with xmas lights during the holidays (apparently individuals hired to retrieve them did not care for those carts left mangled, embedded within snow banks by the plows).

  10. I wonder a transmitter could be built small enough to fit in a backpack yet strong enough to broadcast the locking signal throughout the entire store in one shot.

  11. Reminds me of a time years back I made a “TV Jammer” from a kit, and hung out in the TV department of the competition…

  12. I think 8 Hz is the frequency the security alarms on the doors use. At least that was the case at a Walgreens I worked at. I guess the shopping cart security system is a 1000 times more awesome.

  13. fairly sure this is a repost(well, not a repost but the same thing has been posted before on hackaday

    various versions such as http://www.instructables.com/id/EMP-shopping-cart-locker/
    the cheap version, http://www.instructables.com/id/Shopping-Cart-Locker-THE-EASY-WAY-Improved-Range/ record the sound with a coil/audio input
    and you can view exactly what its doing on any audio editor
    play it back through a amp, works almost as good as a dedicated circuit!

  14. friend found some shop lifting tags in the parking lot of our mall. they had sirens built in and were sounding, they had been cut off something.
    they had texas instruments MSP430-F2001 processors, a 58khz tuned coil, battery, peizo, 2 switches, led, smt parts. They used a spring loaded pin to lock the device. Magnet to unlock.
    Case is glued closed.

    As the controller is likely locked, desoldering to try to read will likely be pointless.
    What should my friend do with these?
    Strip it and toss the rest?

  15. I invented this technology back in the mid 90’s. If you look up my name in the patent office you will see my patents. This particular model is a copy cat of my original product for Gatekeeper systems. Carttronics just copied much of the design except the goofy shovel like brake. The references to the 8khz locking signal were half right. The carrier is digitally encoded at at a low data rate. The carrier frequency was chosen to be under FCC part 15 regs. I also created the PURCHEK anti roll-out technology.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s